CSC 382: Computer Security Slide #1: Firewalls

Slide #2: Firewalls
1. What is a firewall?
2. Types of Firewalls
3. Packet Filtering
4. Proxying
5. Firewall Architectures
6. Bastion Hosts
7. Tunneling and VPNs

Slide #3: What is a Firewall?
A software or hardware component that restricts network communication between two computers or networks.
In buildings, a firewall is a fireproof wall that restricts the spread of a fire. A network firewall prevents threats from spreading from one network to another.

Slide #4: Internet Firewalls
Many organizations and individuals deploy a firewall to restrict access to their network from the Internet.

Slide #5: What is a Firewall? (2)
A mechanism to enforce security policy
  – Choke point that traffic has to flow through.
  – ACLs on a host/network level.

Slide #6: What is a Firewall? (2)
Policy Decisions:
  – What traffic should be allowed into the network?
      Integrity: protect integrity of internal systems.
      Availability: protection from DoS attacks.
  – What traffic should be allowed out?
      Confidentiality: protection from data leakage.

Slide #7: Types of Firewalls
Packet Filters
  – Access control based on layer 3+4 (IP + TCP/UDP) headers, such as source and destination address and port.
Circuit-level Gateways
  – TCP (layer 4) gateway.
  – Relay computer copies byte stream from client to server and vice versa.
Application Gateways
  – Application protocol gateway.

Slide #8: Packet Filtering
Forward or drop packets based on TCP/IP header information, most often:
  – IP source and destination addresses
  – Protocol (ICMP, TCP, or UDP)
  – TCP/UDP source and destination ports
  – TCP flags, especially SYN and ACK
  – ICMP message type
Dual-homed hosts also make decisions based on:
  – Network interface the packet arrived on.
  – Network interface the packet will depart on.

Slide #9: Filter Actions
Pass
  – Forward acceptable packet on to destination.
Drop
  – Drop unacceptable packets.
Log
  – Record action taken on packet.
  – Use syslog to log to internal loghost.

Slide #10: Where to Packet Filter?
Gateway Router
  – Filtering at the interface between networks allows control via a choke point.
  – Can filter spoofed IP addresses.
Host
  – Filter packets on each individual computer.
  – How to manage thousands of packet filters?

Slide #11: Ingress/Egress Filtering
Block spoofed IP addresses
Ingress Filtering
  – Drop packets arriving on the external interface whose source IP address claims to be from the internal network.
Egress Filtering
  – Drop packets arriving on the internal interface whose source IP address is not from the internal network.

Slide #12: Creating a Packet Filter
1. Create a security policy for a service.
   ex: allow only outgoing telnet service
2. Specify the security policy in terms of which types of packets are allowed/forbidden.
3. Write the packet filter in terms of the vendor's filtering language.

Slide #13: Example: outgoing telnet
TCP-based service
Outbound packets
  – Destination port is 23
  – Source port is a random port >1023
  – Outgoing connection established by first packet with no ACK flag set.
  – Following packets will have ACK flag set.
Incoming packets
  – Source port is 23, as the server runs on port 23.
  – Dest port is the high port used for the outbound packets.
  – All incoming packets will have ACK flag set.

Slide #14: Example: outgoing telnet

Dir     Src   Dest  Proto  S.Port  D.Port  ACK?    Action
Out     Int   Any   TCP    >1023   23      Either  Accept
In      Any   Int   TCP    23      >1023   Yes     Accept
Either  Any   Any   Any    Any     Any     Either  Deny

1. Rule allows outgoing telnet packets.
2. Rule allows response packets back in.
3. Rule denies all else, following the Principle of Fail-Safe Defaults.

Slide #15: Example: outgoing telnet
Fedora Linux /etc/sysconfig/iptables:

# accept new TCP connections arriving for local port 23 (the telnet server port)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
# accept packets of already established connections coming back from remote port 23 (telnet replies)
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --sport 23 -j ACCEPT
# reject everything else (fail-safe default)
-A RH-Firewall-1-INPUT -j REJECT

Slide #16: Limitations/Problems
Must know the details of the protocol's TCP/UDP port usage to create filters.
Applications are only identified by port number
  – What if an external host is running a different TCP protocol on port 23?
Order of rules is important
  – Difficulties when adding a new service filter to an existing ruleset.

Slide #17: Example: SMTP

Dir     Src   Dest  Proto  S.Port  D.Port  ACK?    Action
In      Ext   Int   TCP    Any     25      Either  Accept
Out     Int   Ext   TCP    Any     >1023   Either  Accept
Out     Int   Ext   TCP    Any     25      Either  Accept
In      Ext   Int   TCP    Any     >1023   Either  Accept
Either  Any   Any   Any    Any     Any     Either  Deny

Policy: Allow incoming and outgoing SMTP, deny all other services.

Slide #18: Example: SMTP
Rules 1+2 allow outgoing SMTP.
Rules 3+4 allow incoming SMTP.
Rule 5 denies all other protocols.
Problem:
  – What about an external user attacking an internal X server on port 23?
  – The rules allow all connections where both ends use ports >1023.

Slide #19: Example: SMTP

Dir     Src   Dest  Proto  S.Port  D.Port  ACK?    Action
In      Ext   Int   TCP    >1023   25      Either  Accept
Out     Int   Ext   TCP    25      >1023   Yes     Accept
Out     Int   Ext   TCP    >1023   25      Either  Accept
In      Ext   Int   TCP    25      >1023   Yes     Accept
Either  Any   Any   Any    Any     Any     Either  Deny

Solution: Revise rules to consider source port and ACK flag.
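The two SMTP rulesets above, evaluated as an ordered first-match ACL so the difference can be seen on concrete packets. This is an added example, not code from the lecture: the rule rows are transcribed from slides 17 and 19, the packets are constructed, and the internal high port 6000 targeted by the outside connection attempt is an assumption.

```python
from collections import namedtuple

# A packet as the filter sees it: direction ("in"/"out"), which network the source and
# destination addresses belong to ("int"/"ext"), protocol, ports, and the TCP ACK flag.
Packet = namedtuple("Packet", "direction src dst proto sport dport ack")

def port_matches(spec, port):
    """Port column of a rule: 'any', an exact number, or '>N' for high ports."""
    if spec == "any":
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    return port == spec

def rule_matches(rule, pkt):
    d, s, t, proto, sp, dp, ack, _ = rule
    fields = ((d, pkt.direction), (s, pkt.src), (t, pkt.dst), (proto, pkt.proto))
    return (all(spec in ("any", val) for spec, val in fields)
            and port_matches(sp, pkt.sport) and port_matches(dp, pkt.dport)
            and ack in ("either", pkt.ack))

def filter_packet(rules, pkt):
    """Ordered ACL: the first matching rule decides; the final rule is the catch-all deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[-1]
    return "deny"

# Slide 17 ruleset: source port and ACK flag are not checked.
WEAK = [
    ("in",  "ext", "int", "tcp", "any", 25,      "either", "accept"),
    ("out", "int", "ext", "tcp", "any", ">1023", "either", "accept"),
    ("out", "int", "ext", "tcp", "any", 25,      "either", "accept"),
    ("in",  "ext", "int", "tcp", "any", ">1023", "either", "accept"),
    ("any", "any", "any", "any", "any", "any",   "either", "deny"),
]
# Slide 19 ruleset: replies must come from port 25 and carry the ACK flag.
REVISED = [
    ("in",  "ext", "int", "tcp", ">1023", 25,      "either", "accept"),
    ("out", "int", "ext", "tcp", 25,      ">1023", True,     "accept"),
    ("out", "int", "ext", "tcp", ">1023", 25,      "either", "accept"),
    ("in",  "ext", "int", "tcp", 25,      ">1023", True,     "accept"),
    ("any", "any", "any", "any", "any",   "any",   "either", "deny"),
]

# Constructed packets: a genuine SMTP reply to an internal high port, and an external
# connection attempt (SYN, no ACK) from an arbitrary port to an assumed internal port 6000.
SMTP_REPLY = Packet("in", "ext", "int", "tcp", 25, 40000, True)
PROBE_SYN = Packet("in", "ext", "int", "tcp", 4444, 6000, False)
```

The weak set accepts the probe through its rule 4 while the revised set denies it; a packet that claims source port 25 and sets ACK still passes the revised set, which is the gap the stateful filters on the next slides are meant to close.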

Slide #20: Packet Filtering Summary
Advantages:
  – One packet filter can protect an entire network
  – Efficient (requires little CPU)
  – Supported by most routers
Disadvantages:
  – Difficult to configure correctly
      Must consider rule set in its entirety
  – Difficult to test completely
  – Performance penalty for complex rulesets
      Stateful packet filtering much more expensive
  – Enforces ACLs at layer 3 + 4, without knowing any application details

Slide #21: Stateful Packet Filters
Is there a TCP session?
Saves packet data to keep state, in order to reconstruct the connection at the IP level
  – Even though UDP has no ACK flag, the filter can construct a connection by remembering an outgoing packet to UDP port 53 (DNS) and knowing that a response should come from that port back to the source port of the original packet.
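The UDP/DNS state tracking the slide describes, written out as a small state table: each outgoing query is remembered by its 4-tuple and only the reversed tuple is let back in, with an expiry so entries do not live forever. Added example, not the lecture's code; the resolver address 192.0.2.53, the internal host 10.0.0.5, the ephemeral ports and the 30-second timeout are all constructed.

```python
class UdpStateTable:
    """Stateful filter for UDP: remember outgoing datagrams, admit only matching replies."""

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.flows = {}  # (src_ip, sport, dst_ip, dport) of the query -> expiry time

    def outbound(self, src_ip, sport, dst_ip, dport, now):
        """Outgoing datagram: record its 4-tuple so the matching reply can be recognised."""
        self.flows[(src_ip, sport, dst_ip, dport)] = now + self.timeout
        return "accept"

    def inbound(self, src_ip, sport, dst_ip, dport, now):
        """Incoming datagram: accept only if it reverses an unexpired outgoing entry."""
        key = (dst_ip, dport, src_ip, sport)  # reverse of the recorded query tuple
        expiry = self.flows.pop(key, None)    # one reply per query: entry is consumed
        if expiry is None or now > expiry:
            return "drop"                     # unsolicited, or the query already timed out
        return "accept"

def demo():
    """Constructed trace: internal host 10.0.0.5 queries resolver 192.0.2.53 on port 53."""
    table = UdpStateTable(timeout=30.0)
    t0 = 1000.0
    table.outbound("10.0.0.5", 40001, "192.0.2.53", 53, t0)
    # The reply from port 53 back to the query's source port.
    reply = table.inbound("192.0.2.53", 53, "10.0.0.5", 40001, t0 + 0.1)
    # Also from the resolver's port 53, but no query ever left port 40002.
    # A stateless rule "allow udp sport 53 dport >1023" would have passed this.
    unsolicited = table.inbound("192.0.2.53", 53, "10.0.0.5", 40002, t0 + 0.2)
    # A second "reply" to the query that has already been answered.
    duplicate = table.inbound("192.0.2.53", 53, "10.0.0.5", 40001, t0 + 0.3)
    # A query whose reply only arrives after the 30 s timeout.
    table.outbound("10.0.0.5", 40003, "192.0.2.53", 53, t0 + 1.0)
    late = table.inbound("192.0.2.53", 53, "10.0.0.5", 40003, t0 + 60.0)
    return {"reply": reply, "unsolicited": unsolicited, "duplicate": duplicate, "late": late}
```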

Slide #22: Proxy-Based Firewalls
Figure 2-18 on page 64
Can examine packets at the application layer
  – Examine the FTP packet stream for PASV/PORT commands to find the return port for the ftp data stream.

Slide #23: Proxy Servers
Proxy host relays Transport/App connections
  – Client makes connection to proxy.
  – Proxy forwards connection to server.

Slide #24: Proxy Servers
Proxy provides:
  – Access Control
      Proxies specified src + dest ports / IP addrs.
  – Logging
  – Anonymity

Slide #25: Single Host Firewall
Simplest type of firewall—one host acts as a gateway between internal and external networks.

Slide #26: Types of Single Host Firewall
Screening Router
  – Organizations already have a router
  – Most routers have packet filtering capabilities
  – Advantages: cheap, simple
  – Disadvantages: can only do packet filtering
Dual-homed Host
  – Server with two NICs
  – Advantages
      Configurable: packet filter, circuit proxy, app proxy
  – Disadvantages
      Lower performance than router

Slide #27: Screened Subnet
Isolates the internal network from external networks by means of a perimeter network, called a DMZ.

Slide #28: Screened Subnet
Bastion hosts isolated from internal network
  – Compromise of a bastion host doesn't directly compromise the internal network.
  – Bastion hosts also can't sniff internal traffic, since they're on a different subnet.
No single point of failure
  – Attacker must compromise both exterior and interior routers to gain access to the internal net.
Advantages: greater security
Disadvantages: higher cost and complexity

Slide #29: Screened Subnet
External Access
  – Filtered: via interior + exterior routers
  – Proxied: use a bastion host as a proxy server
Bastion Hosts
  – Proxy server
  – External web/ftp servers
  – External DNS server
  – gateway

Slide #30: Screened Subnet
Exterior Router
  – Simple filtering rules
      Ingress/Egress Filtering
      DoS prevention
      Simple ACLs
  – May be controlled by ISP
Interior Router
  – Complex filtering rules.
  – Must protect the internal network from the bastion hosts as well as from the external network.
Recommendation: use different hardware/software for interior and exterior routers.

Slide #31: Tunneling
Tunneling: encapsulation of one network protocol in another protocol
  – Carrier Protocol: protocol used by the network through which the information is travelling
  – Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around the original data
  – Passenger Protocol: protocol that carries the original data

Slide #32: ssh Tunneling
SSH can tunnel TCP connections
  – Carrier Protocol: IP
  – Encapsulating Protocol: ssh
  – Passenger Protocol: TCP on a specific port
POP-3 forwarding:
  ssh -L 110:pop3host:110 -l user pop3host
  – Uses ssh to log in to pop3host as user
  – Creates a tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host
  – User configures the mail client to use localhost as the POP3 server, then proceeds as normal

Slide #33: Virtual Private Network (VPN)
Two or more computers or networks connected by a private tunnel through a public network (typically the Internet).
Requirements:
  – Confidentiality: encryption
  – Integrity: MACs, sequencing, timestamps
Firewall Interactions
  – Tunnels can bypass the firewall
  – Firewall is a convenient place to add VPN features

Slide #34: Firewall Limitations
Cannot protect from internal attacks
  – May be able to limit access with internal firewalls to a segment of your network.
Cannot protect you from user error
  – Users will still run trojan horses that make it past your AV scanner.
Firewall mechanism may not precisely enforce your security policy.

Slide #35: Key Points
Almost everything is spoofable.
Denial of service attacks are easy.
Port scanning
  – Stealth
  – OS Fingerprinting
Firewalls
  – Packet filtering
  – Proxying
  – DMZ
